#StackBounty: #magento-1.9 #database #security #sql #parameter Do bound parameters get escaped using the Core/Resource model?

Bounty: 50

Consider the following example:

$connection = Mage::getSingleton('core/resource')->getConnection('core_read');
$email_address = $_GET['email'];

$sql = 'SELECT * FROM `foo` WHERE `email_address` = ?';
$bar = $connection->fetchAll($sql, $email_address);

Does Magento handle escaping automatically, based on the bound parameters — or would this code be susceptible to SQL injection?

Source: How to mysql escape in magento?

I think Magento uses a DB Access layer based on PDO, which handles escaping automatically provided you use bound parameters.

When looking at Mage_Core_Model_Resource, the getConnection method states:

 * Creates a connection to resource whenever needed
 * @param string $name
 * @return Varien_Db_Adapter_Interface

When looking at lib/Varien/Db/Adapter/Interface.php, the following comment is visible for the fetchOne method:

 * Safely quotes a value for an SQL statement.
 * If an array is passed as the value, the array values are quoted
 * and then returned as a comma-separated string.
 * @param mixed $value The value to quote.
 * @param mixed $type  OPTIONAL the SQL datatype name, or constant, or null.
 * @return mixed An SQL-safe quoted value (or string of separated values).

This seems to imply that the parameters are safely escaped. The same comments aren’t visible on the other fetch methods (i.e fetchRow, fetchAll etc).

Thus, would parsing user input values into the SQL statement using the fetchOne, fetchRow, fetchAll methods be susceptible to SQL injection — or would the parameters be safely escaped by the Variant Interface?

Get this bounty!!!

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.